Pre-DPIA form

This form will help you determine whether the processing operation you are analysing requires a DPIA.

Wondering which processing operations carried out in your organization require conducting a DPIA?

A Data Protection Impact Assessment is a process that helps organizations identify, understand and minimize the risk associated with processing personal data. A DPIA is typically required in the context of processing operations that may result in a high risk to the rights and freedoms of natural persons.

In practice it is not always obvious which processing operations require a DPIA. The GDPR indicates that a DPIA is required when processing may result in a high risk to the rights and freedoms of natural persons, which includes situations such as those listed below (but is not limited to them):

  • systematic and detailed assessments of personal factors, including profiling;
  • large-scale processing of special categories of data (e.g. biometric data, health data, religious or political belief data, etc.);
  • the monitoring of publicly accessible places on a large scale, in particular by means of visual systems.

In some cases the controller may conclude that processing that meets only one of the criteria listed above will require conducting a Data Protection Impact Assessment. This particularly applies where a given processing operation is included in the list of processing operations requiring a DPIA published by the President of the Polish Data Protection Authority.

Check whether the processing operation requires a DPIA

You will now review nine criteria against which you will assess whether the processing operation you are analysing carries a high risk of infringing the rights and freedoms of individuals. If you answer "yes" to at least two questions, conducting a DPIA for your processing operation will be mandatory. Remember that some processing operations meet only one of the listed criteria yet still require a DPIA. This applies in particular to processing operations included in the lists published by European supervisory authorities.

Indicate the name of the process you are analysing in relation to the obligation to perform the DPIA.

Criterion 1: Evaluation or scoring

This criterion covers, in particular, assessment or scoring, including profiling and forecasting, based on aspects relating to the data subject's work performance, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.

Examples:

  • A financial institution verifies its clients in credit reference databases, anti-money laundering and terrorist financing databases, or financial fraud databases.
  • A biotechnology company offers consumers direct access to genetic testing in order to assess and predict health risks, including disease outcomes.
  • A company analyses how its website is used in order to build user behaviour and marketing profiles.
  • Profiling users of social networks and mobile applications in order to target them with personalised marketing content.
  • Creditworthiness is assessed using artificial intelligence algorithms that also draw on data not directly related to that assessment, while the process itself remains confidential.
  • Analysis of lifestyle, nutrition, driving or leisure information for the purposes of, among other things, determining or increasing insurance premiums (so-called premium optimisation).

Criterion 2: Automated decision-making with legal or similarly significant effect

Automated decision-making is the process by which decisions affecting individuals are made or approved without any significant human intervention. These decisions are based on automated data analysis, often using algorithms and machine learning technology.

The term 'decision with legal effect' refers to a decision that has a direct effect on the rights, obligations or legal status of the data subject. Examples include decisions to grant credit, employment decisions or insurance decisions.

"Similarly significant effect" refers to decisions that may not have a direct legal effect but have a significant impact on an individual's personal life. For example, automated profiling based on internet browsing habits that leads to personalised product or service offers may have a "similarly significant effect".

Examples:

  • Traffic monitoring systems used for traffic management that enable close monitoring of drivers and their behaviour, for example, automatic identification of licence plates or charging for specific areas.
  • Systems for analyzing customer data to determine their purchase preferences or to automatically match individual prices and promotions.
  • Tracking purchasing history and customer purchasing preferences.
  • Automatic decision-making on granting or refusing credit.
  • Automated decision-making on entitlement to social benefits.
  • Automatic decision-making on granting of scholarships.
  • Automated decision-making on professional qualifications.

Criterion 3: Systematic monitoring

This criterion refers to situations where personal data is collected as a result of observing, monitoring or controlling data subjects. This may involve various methods and technologies, such as CCTV monitoring, location tracking via GPS devices, or monitoring of online activities such as tracking browsing habits or analysing social media use.

Examples:

  • Monitoring of public service users using data that is not necessary. For example, a city office application for booking visits collects location data, even though only basic details such as name, address and date of meeting are required to provide the service.
  • Data collection and processing by applications installed on mobile devices, including applications integrated with the user's uniform, helmet or other personal equipment.
  • Vehicle tracking systems that communicate with their environment, e.g. other vehicles or road infrastructure.
  • Use of RFID technology (e.g. tags or labels) if it can be associated with specific persons.
  • Automated identification of registration plates, e.g. on motorways, parking lots or urban areas.
  • Electronic systems in public transport e.g. cameras and tickets that can reveal patterns of movement of passengers and charging systems that record location data.
  • Processing of passenger data such as Passenger Name Record (PNR) data.
  • Systems that automatically reject requests or services for so-called 'blacklisted' persons (e.g. criminals).
  • Visual monitoring of public events using drones.
  • Constant surveillance of the public space with cameras.
  • Mass or systematic processing of personal data by law enforcement authorities in the context of crime or misconduct.

Criterion 4: Sensitive data or data of a highly personal nature

Special categories of personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, and data concerning the health, sexuality or sexual orientation of that person. The WP 248 Guidelines indicate that, in addition to special categories of data within the meaning of Article 9 of the GDPR and conviction data within the meaning of Article 10 of the GDPR, 'sensitive data' in the everyday meaning of that phrase should also be treated as sensitive. In particular, financial data, location data and data contained in private and personal notes were considered to be such data.

Examples:

  • Processing of party affiliation or electoral preference data by both public and private entities.
  • Regular collection of measurement data used to monitor lifestyle, mobility, media use or internet activity, for example geolocation data, smart metering data and billing data.
  • Storage of medical records by hospitals.
  • Keeping detailed criminal records by private detectives.
  • Processing of highly personal data such as identity documents, private messages, e-reader notes, entries in applications that record daily activity.
  • Creating or using databases containing information on criminal offences and misdemeanours.
  • Development or modification of health information systems (e.g. medical applications, e-health systems).
  • Developing new mobile health monitoring apps.
  • Direct marketing based on specific categories of data, e.g. advertising medicines or health supplements based on data from health applications.
  • Building interfaces or applications to access crime and misdemeanor records.
  • The implementation or use of e-health systems, such as electronic medical records (EMRs), e-prescriptions, e-referrals or patient portals that allow access to test results and treatment histories.
  • Facial recognition technologies.
  • Biometric authentication in mobile devices (e.g. fingerprint, facial scan).
  • Conducting medical diagnoses.
  • Running a DNA test.
  • Conducting medical research, including an assessment of the likelihood of disease.

Criterion 5: Data processed on a large scale

When determining whether processing is carried out on a large scale, factors such as the number of data subjects, the percentage of a given population group, the scope of personal data processed, the duration of processing and the geographical scope of processing should be taken into account. The concept of "large scale" has no single numerical definition and may vary depending on context and interpretation. Decisions of European supervisory authorities show attempts to give this concept a measurable character; for example, the Czech supervisory authority states that processing data of 10,001 persons or 0.01% of the population may be considered large-scale processing. More information on this topic can be found in our article.

Examples:

  • Central databases used to manage a specific group of persons in connection with the performance of public tasks (e.g. citizen, student, patient registers).
  • Collecting a wide range of user activity data, such as browsed websites, purchase history, purchase preferences or TV and radio programmes viewed.
  • Processing of patient data by hospitals as part of the provision of medical services and health documentation.
  • Collecting data on the travel routes of passengers using urban public transport (e.g. via electronic tickets or city cards).
  • Real-time customer location tracking, e.g. through an international network of fast food restaurants to optimize services or promotional offers.
  • Processing of customer data by banks and insurance undertakings as part of daily operations (e.g. risk assessment, customer relationship management).
  • Use of personal data by internet search engines to personalize advertisements based on user behaviour (so-called behavioural advertising).
  • Processing of data by telecommunications service providers (e.g. data on calls, messages, internet use).
  • Loyalty programs that collect customer purchasing and preference data to offer personalized benefits.
  • Electronic communications data processed by telecommunications operators (e.g. location, billing, connection history).
  • National registers of personal data maintained by public authorities or authorised entities (e.g. PESEL, CEIDG).
  • Financial data and information on the use of financial services by banks, savings banks and other financial institutions (e.g. transaction history, credit scoring).

Criterion 6: Matching or combining datasets

Matching or linking datasets refers to the combination of data from two or more data processing operations carried out for different purposes or by different data controllers in a way that goes beyond the legitimate expectations of data subjects. Examples of such data linking include the matching of insurers' data with insurance claims data to analyse trends and causal relationships, the matching of absenteeism data with data on employees' gender, age and education, and the analysis of shopping habits or patterns of use of communication services. Because matching or combining datasets may exceed the expectations of data subjects, it requires particular care and compliance with the applicable data protection principles.

Examples:

  • Combining insurance data with claims information to analyse trends, market shares and cause-and-effect relationships (for example, between the type of policy and the number of claims reported).
  • Combining data on staff absences with demographic information such as gender, age or level of education to analyse reasons for absences or to optimize HR policies.
  • Analysis of purchasing habits and movements, e.g. for marketing purposes, service planning or personalization of offers.
  • Analysis of user behaviour in electronic communications, including how devices are used, content is viewed or the frequency of logging in.
  • Analysis of big data in public registers, for example linking information from the population register, the social security system and the database of social assistance beneficiaries, which may reveal patterns of behaviour, health or the economic situation of the person concerned.

Criterion 7: Data concerning vulnerable data subjects

As indicated by the European Data Protection Board (WP 248), this criterion is, in particular, "about the imbalance of power between the data subjects and the controller". Vulnerable persons include, in particular:

Examples:

  • children
  • employees in relation to the employer
  • persons with mental illness
  • persons applying for asylum
  • migrants
  • elderly persons
  • patients
  • persons with limited legal capacity or persons without legal capacity

Criterion 8: Innovative use or applying new technological or organisational solutions

Given the pace of technological development, this criterion is likely to become an increasingly frequent reason for a mandatory DPIA. As at the date this form was prepared, "innovative use" refers to new ways of processing data that differ significantly from traditional methods. Examples include the use of artificial intelligence to analyse data, the introduction of advanced customer profiling using machine learning algorithms, or the use of blockchain technology to store data.

Examples:

  • Remote measurement systems that, owing to the scope and frequency of the data collected, enable the profiling of individuals or groups (e.g. smart energy meters, environmental sensors).
  • Metadata analysis systems, e.g. processing data contained in images (such as geolocation, execution time, device type) to determine user behaviour or location.
  • Data processing systems from mobile and wearable devices (smartwatches, fitness bands, beacons) that analyse and transmit information to service providers via mobile applications.
  • Devices integrated with interfaces such as microphones, cameras or loudspeakers that communicate over telecommunications networks and enable data to be collected and transmitted (for example, smart speakers, voice assistants, smart home systems).
  • Children's devices and services that process personal data often without the user's full knowledge of the scope and purpose of their use.
  • Telemedical consultations with centres outside the EU where sensitive medical data is transmitted to third countries.
  • Integrated biometric systems combining facial recognition technology with fingerprint reading to increase the level of physical security (e.g. access control).
  • The use of drones to collect visual or environmental data, often on a mass scale or in a way that directly identifies natural persons.
  • Intelligent video analysis systems that automatically recognise objects, persons or behaviours (e.g. monitoring systems with facial, movement or anomalous event detection function).
  • Systems that use artificial intelligence (AI) to process personal data, among other things, to profile users, make decisions (for example, credit scoring), detect anomalies or predict behaviour.

Criterion 9: Processing that prevents data subjects from exercising a right or using a service or a contract

This criterion includes processing operations intended to decide whether data subjects may access a service or enter into a contract, to change that access or to refuse it.

Examples:

  • Taking credit decisions towards potential customers on the basis of data from debtor registers or other economic information databases.
  • Making access to a service dependent on financial information, such as income, monthly expenses or other data obtained through user profiling.
  • National electronic charging systems where the ability to use a service (for example, public transport) may be automatically blocked on the basis of system data (such as a missing charge in e-TOLL).

In some cases, a controller may consider that processing that meets only one of the above criteria will require a DPIA. This is particularly the case where the processing operation in question is on the list of processing operations requiring a DPIA published by the President of the Office for the Protection of Personal Data.

Disclaimer

For a reliable determination of whether a Data Protection Impact Assessment (DPIA) is required, it is recommended to carefully and comprehensively complete all fields of this tool. Each element, including the risk to the rights and freedoms of natural persons, should be considered with due diligence, in accordance with the requirements set out in Article 35 GDPR. For this reason, this form may at most serve as an auxiliary tool and cannot be the sole basis for making decisions by any entity or any person who uses the form at their own risk. ODO 24 sp. z o.o. shall not be liable to any entity or any person for any direct or indirect consequences of using the form, in particular in the form of damages, liability to pay compensation or redress, imposed administrative fines, loss of profits or other adverse consequences.


Pre-DPIA - questions and answers

What is a DPIA?

A DPIA (Data Protection Impact Assessment), that is, an assessment of the impact on data protection, is a process that helps organisations identify and minimise the risks associated with the processing of personal data.

Under the GDPR a DPIA is required when the processing is likely to result in a high risk to the rights and freedoms of natural persons. A DPIA is a useful tool for building and demonstrating compliance with the GDPR. It should include a review of projects in which personal data are processed, an assessment of the risks to the rights of the data subjects concerned, and the identification of measures that can be applied to reduce that risk.

When is a DPIA required?

Under the GDPR the obligation to carry out a Data Protection Impact Assessment (DPIA) arises when the planned processing of personal data may involve a high risk to the rights and freedoms of natural persons. The GDPR indicates three situations in which a DPIA is particularly required:

  • systematic, comprehensive evaluation of personal factors relating to natural persons, which is based on automated processing, including profiling, and forms the basis for decisions producing legal effects concerning the natural person or similarly significantly affecting the natural person;
  • processing on a large scale of special categories of personal data referred to in Article 9(1) of the GDPR, or personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR;
  • systematic monitoring on a large scale of publicly accessible places.

Who carries out a DPIA?

The Data Protection Impact Assessment (DPIA) is carried out by the data controller. It is the data controller who is responsible for ensuring that the processing of data is lawful, which includes carrying out a DPIA where required.

Although the data controller is responsible for carrying out the DPIA, they may involve other parties, e.g. data protection advisors, external consultants or Data Protection Officers (DPOs), to assist them in this process. It is important that all involved have the appropriate experience and knowledge to make a proper assessment of the risks associated with the processing of data.

In many cases the Data Protection Officer (DPO) plays a key role in conducting the DPIA. The DPO can advise on whether a DPIA is required, supervise its conduct and ensure that appropriate steps have been taken to minimise the risks to the rights and freedoms of the data subjects.

In summary, although the responsibility for carrying out the DPIA rests with the data controller, the process may be carried out by different individuals or teams depending on the structure and resources of the organisation.

Does the GDPR require that a data protection impact assessment be carried out for every processing operation?

No, the GDPR does not require that a data protection impact assessment (DPIA) be carried out for every processing operation. A DPIA is required only where the envisaged processing is likely to result in a high risk to the rights and freedoms of natural persons.

In particular, the GDPR lists three types of processing operations that will typically require a DPIA:

  • a systematic and comprehensive evaluation of personal aspects relating to natural persons, based on automated processing, including profiling, and serving as the basis for decisions producing legal effects concerning the natural person or similarly significantly affecting the natural person;
  • large-scale processing of special categories of personal data referred to in Article 9(1) of the GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR;
  • systematic monitoring on a large scale of publicly accessible places.

Does the processor have to carry out a DPIA?

Under the GDPR, responsibility for carrying out a data protection impact assessment (DPIA) lies with the data controller, not the processor. The data controller is the entity that determines the purposes and means of processing personal data, whereas the processor processes data on the controller's instructions.

However, in practice the processor may be involved in the DPIA process and may provide valuable information to help the controller understand what risks are associated with the processing and how to mitigate them. Processors can make a significant contribution to the DPIA process through their expertise and experience in the technology and data processing operations.

How often should a DPIA be carried out?

A data protection impact assessment (DPIA) should be carried out before starting a new type of data processing that is likely to result in a high risk to the rights and freedoms of natural persons.

In particular, a DPIA should be carried out when the implementation of new technologies or new forms of data processing is planned, and also when the context, nature, scope, purpose of the processing or the risks associated with the processing change.

Moreover, a DPIA should be treated as a "living document", which means it should be reviewed and updated regularly, especially when the circumstances of the processing change. However, the GDPR does not specify exact timeframes for reviewing a DPIA.

How should the risk-based approach referred to in the GDPR be understood?

A risk-based approach in the context of the GDPR means that organisations must take data protection measures that are proportionate to the level of risk posed by the processing of personal data.

Risk is the potential for harm to the rights and freedoms of natural persons arising from the processing of their personal data. This can include, for example, risks to privacy, financial risks, reputational risks, and in some cases even physical risks. The level of risk may vary depending on many factors, such as the type of data processed, the manner in which it is processed, and the number of individuals whose data are processed.

A risk-based approach means that organisations must first assess these risks (for example by carrying out a data protection impact assessment – DPIA), and then take appropriate steps to reduce them to an acceptable level. This may include various measures, such as technical safeguards (e.g. encryption), organisational safeguards (e.g. staff training) and others.

A risk-based approach means that not all forms of data processing require the same level of protection. For example, processing particularly sensitive data, such as health data, may require greater protection than processing less sensitive data, such as first names and e-mail addresses.

How long should DPIA results be retained?

The GDPR does not specify a concrete retention period for the results of a Data Protection Impact Assessment (DPIA). However, under the general accountability principles of the GDPR, DPIA results should be retained for the entire period of processing to which those results relate.

This is necessary because DPIA results may be required to demonstrate compliance with the GDPR, e.g. in the event of an inspection carried out by the supervisory authority. Moreover, because the GDPR requires regular review and updating of DPIAs, retaining the results of previous assessments can be useful for tracking changes in the risk associated with data processing and the effectiveness of the mitigation measures implemented.
